OpenBSD src changes summary for 2016-12-04 to 2016-12-11 inclusive ==================================================================
bin/ksh distrib/hppa distrib/loongson distrib/octeon distrib/sets distrib/sgi etc/netstart lib/libc lib/libcrypto lib/libssl regress/bin regress/lib regress/sbin regress/usr.bin regress/usr.sbin sbin/disklabel share/man share/misc sys/arch/amd64/conf sys/arch/loongson/dev sys/arch/loongson/include sys/arch/loongson/loongson sys/arch/macppc/dev sys/arch/mips64/include sys/arch/octeon/conf sys/arch/octeon/dev sys/arch/octeon/include sys/dev sys/dev/pci sys/dev/pv sys/dev/usb sys/net sys/net80211 sys/netinet usr.bin/dc usr.bin/doas usr.bin/ftp usr.bin/mandoc usr.bin/ssh usr.bin/tmux usr.sbin/dhcrelay usr.sbin/ntpd usr.sbin/ospfctl usr.sbin/syspatch usr.sbin/vmd == bin =============================================================== 01/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/bin ksh ~ exec.c > Fix for() loop indentation for TCASE in execute() and add some > braces for improved readability. Based on a diff from Kartik Agaram. > (millert@) ~ exec.c > In execute() we assign xerrorok to a dummy value if it is NULL > so there is no need to check xerrorok for NULL after that. > From Kartik Agaram. (millert@) ~ exec.c > When ERREXIT (set -e) is in effect, don't disable it after a > short-circuited `&&` or `||` chain in later iterations of `for` > loops. It should be disabled after a short-circuited `&&` or `||` > chain only in the *final* iteration of loops (as well as in > conditionals, which was already working). From Kartik Agaram. (millert@) ~ exec.c > I missed a bit of the indentation fix from Kartik Agaram. 
(millert@) == distrib =========================================================== 02/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib hppa ~ ramdisk/Makefile > Use makefs to build bsd.rd; build & boot tested by krw (natano@) loongson ~ ramdisk/Makefile > Use makefs to build bsd.rd; build & boot tested by visa (natano@) octeon ~ ramdisk/Makefile > Use makefs to build bsd.rd; tested by visa (natano@) sets ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/md.octeon > sync (visa@) ~ lists/comp/mi > sync (sthen@) sgi ~ ramdisk/Makefile > Use makefs to build bsd.rd; build & boot tested by visa (natano@) == etc =============================================================== 03/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc netstart ~ netstart > Do not lose the default route when netstart(8) is run a second time on > the interface pointed to by the default route. > Since the kernel no longer keep routes with dangling address pointer, > netstart(8) has to re-add the default route when the corresponding ifa > has been deleted and re-created. > deraadt@ points out that even if the previous semantic was not necessarily > better, a script like netstart(8) cannot totally fix the default route > problem. > Regression reported by and fix tested by Hrvoje Popovski. > ksh foo checked by halex@ (mpi@) == lib =============================================================== 04/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib libc ~ net/linkaddr.c > CVE-2016-6559: fix potential buffer overflow(s) in link_ntoa(3). > A specially crafted struct sockaddr_dl argument can trigger a stack > overflow of a static buffer in libc. An attacker may be able to > use this to write to arbitrary locations in the data segment. 
> From FreeBSD (glebius); OK deraadt@ mestre@ (millert@) ~ net/linkaddr.c > Fix a typo, decrement rem, don't increment for single digit hex bytes. > From Henri Kemppainen (millert@) ~ net/linkaddr.c > Fix regressions introduce in the fix for CVE-2016-6559. > From FreeBSD (glebius) (millert@) libcrypto ~ man/UI_new.3 > Add Copyright and license. > Mention that UI_free(3) accepts NULL. > One minor clarification from OpenSSL. (schwarze@) ~ man/Makefile + man/X509V3_get_d2i.3 + man/X509_ALGOR_dup.3 + man/X509_CRL_get0_by_serial.3 + man/X509_EXTENSION_set_object.3 + man/X509_LOOKUP_hash_dir.3 > import five newish X509 pages from OpenSSL (schwarze@) ~ man/X509_NAME_ENTRY_get_object.3 > Copyright and license (schwarze@) ~ man/X509_NAME_add_entry_by_txt.3 > Add Copyright and license. > Merge correction of buggy EXAMPLES from OpenSSL. (schwarze@) ~ man/X509_NAME_get_index_by_NID.3 > Add Copyright and license. > More explanations about X509_NAME_get_index_by_NID(3) from OpenSSL. > Merge a typo fix in EXAMPLES from OpenSSL. (schwarze@) ~ man/X509_NAME_print_ex.3 > Add Copyright and license. > Better explain the last argument of X509_NAME_oneline(3), from OpenSSL. > (schwarze@) ~ man/Makefile + man/X509_PUBKEY_new.3 > import X509_PUBKEY_new(3) from OpenSSL (schwarze@) ~ man/X509_STORE_CTX_get_error.3 > Copyright and license. > Never include <openssl/x509_vfy.h> directly; from OpenSSL. > Merge a typo fix from OpenSSL. (schwarze@) ~ man/X509_STORE_CTX_new.3 > Add Copyright and license. > Mention that X509_STORE_CTX_free(3) accepts NULL. 
(schwarze@) ~ man/X509_STORE_CTX_set_verify_cb.3 ~ man/X509_VERIFY_PARAM_set_flags.3 > Copyright and license (schwarze@) ~ man/Makefile + man/X509_check_ca.3 + man/X509_check_host.3 + man/X509_check_issued.3 > import three X509_check_*(3) manuals from OpenSSL (schwarze@) ~ man/Makefile + man/X509_STORE_set1_param.3 > import the relevant parts of X509_STORE_get0_param(3) from OpenSSL, but > since we don't have that function, call the page X509_STORE_set1_param(3) > (schwarze@) ~ man/X509V3_get_d2i.3 ~ man/X509_ALGOR_dup.3 ~ man/X509_LOOKUP_hash_dir.3 ~ man/X509_PUBKEY_new.3 ~ man/X509_STORE_set1_param.3 ~ man/X509_check_ca.3 ~ man/X509_check_host.3 ~ man/X509_check_issued.3 > various cleanup; (jmc@) ~ man/Makefile + man/X509_get_pubkey.3 + man/X509_get_serialNumber.3 + man/X509_get_subject_name.3 + man/X509_get_version.3 + man/X509_sign.3 + man/X509v3_get_ext_by_NID.3 > import the relevant parts of six more X509 manuals from OpenSSL (schwarze@) ~ man/X509_CRL_get0_by_serial.3 > delete two cross references to functions we don't have (schwarze@) ~ man/X509_new.3 > Add Copyright and license. > Merge documentation of X509_up_ref(3) from OpenSSL. (schwarze@) ~ man/X509_verify_cert.3 > Copyright and locense (schwarze@) ~ man/X509_new.3 ~ man/X509v3_get_ext_by_NID.3 > tweak previous; (jmc@) ~ man/Makefile + man/d2i_PrivateKey.3 > import d2i_PrivateKey(3) from OpenSSL (schwarze@) ~ man/d2i_ASN1_OBJECT.3 ~ man/d2i_DHparams.3 ~ man/d2i_ECPKParameters.3 ~ man/d2i_X509_ALGOR.3 ~ man/d2i_X509_CRL.3 ~ man/d2i_X509_NAME.3 ~ man/d2i_X509_REQ.3 ~ man/d2i_X509_SIG.3 ~ man/i2d_PKCS7_bio_stream.3 > Copyright and license (schwarze@) ~ man/d2i_DSAPublicKey.3 ~ man/d2i_RSAPublicKey.3 > Add Copyright and license. > Merge documentation of some additional {d2i,i2d}_{D,R}SA_PUBKEY_{bio,fp}(3) > functions from OpenSSL. (schwarze@) ~ man/d2i_PKCS8PrivateKey_bio.3 > Add Copyright and license. > Update a cross reference, from OpenSSL. (schwarze@) ~ man/d2i_X509.3 > Add Copyright and license. 
> Merge documentation of d2i_X509_AUX(3) and i2d_X509_AUX(3) from OpenSSL. > Correct the prototype of d2i_X509(3), from OpenSSL. > Merge warnings against "reuse" functionality from OpenSSL. (schwarze@) ~ man/BIO_f_buffer.3 ~ man/BIO_s_bio.3 ~ man/BUF_MEM_new.3 ~ man/crypto.3 ~ man/lh_stats.3 > replace all references to BIO(3) with references to BIO_new(3) (schwarze@) - man/BIO.3 ~ man/BIO_new.3 ~ man/BIO_push.3 ~ man/Makefile > We don't want section 3 manual pages with names that do not correspond > to functions, so delete the BIO(3) manual page and merge its content > into BIO_new(3) and BIO_push(3). > Sort the content of BIO_new(3) into a logical order > and improve the wording in various ways. > Add the required cross references to BIO_push(3). (schwarze@) ~ man/BIO_new.3 > tweak previous; (jmc@) ~ man/crypto.3 > Add Copyright and license. > Mention AES, Chacha20, ECDSA, OCSP, OPENSSL_config. > Improve many cross references. > Convert the table into some real text and polish some wording. > Stop talking about SSL. > Drop vague references to undocumented internals (objects, stack, txt_db). > Delete verbiage that says nothing or is duplicate. > Ultimately, the content of this page should be merged into > OPENSSL_init_crypto(3), but we don't have that function yet, > so the merge has to wait. 
(schwarze@) ~ man/BIO_ctrl.3 ~ man/BIO_f_base64.3 ~ man/BIO_f_cipher.3 ~ man/BIO_f_md.3 ~ man/BIO_f_null.3 ~ man/BIO_find_type.3 ~ man/BIO_read.3 ~ man/BIO_s_accept.3 ~ man/BIO_s_connect.3 ~ man/BIO_s_fd.3 ~ man/BIO_s_file.3 ~ man/BIO_s_mem.3 ~ man/BIO_s_null.3 ~ man/BIO_s_socket.3 ~ man/BIO_set_callback.3 ~ man/BIO_should_retry.3 ~ man/PEM_read_bio_PrivateKey.3 ~ man/PEM_write_bio_PKCS7_stream.3 ~ man/d2i_PKCS8PrivateKey_bio.3 ~ man/i2d_PKCS7_bio_stream.3 > make sure that all the BIO pages point back to the master page BIO_new(3) > (schwarze@) ~ man/EC_GFp_simple_method.3 ~ man/EC_GROUP_copy.3 ~ man/EC_GROUP_new.3 ~ man/EC_KEY_new.3 ~ man/EC_POINT_add.3 ~ man/EC_POINT_new.3 ~ man/OCSP_REQUEST_new.3 ~ man/OCSP_cert_to_id.3 ~ man/OCSP_request_add1_nonce.3 ~ man/OCSP_resp_find_status.3 ~ man/OCSP_response_status.3 ~ man/OCSP_sendreq_new.3 ~ man/d2i_ECPKParameters.3 ~ man/d2i_PrivateKey.3 > Delete most references to crypto(3). That page isn't useful enough > to be pointed to from random individual pages. (schwarze@) ~ man/X509V3_get_d2i.3 > We don't support Certificate Transparency Extensions and > we don't define preprocessor constants for the related NIDs, > so delete the subsection discussing them. 
(schwarze@) ~ man/evp.3 > Copyright and license (schwarze@) ~ man/x509.3 > Copyright and license (schwarze@) ~ man/d2i_ASN1_OBJECT.3 ~ man/d2i_DHparams.3 ~ man/d2i_DSAPublicKey.3 ~ man/d2i_PKCS8PrivateKey_bio.3 ~ man/d2i_PrivateKey.3 ~ man/d2i_RSAPublicKey.3 ~ man/d2i_X509.3 ~ man/d2i_X509_ALGOR.3 ~ man/d2i_X509_CRL.3 ~ man/d2i_X509_NAME.3 ~ man/d2i_X509_REQ.3 ~ man/d2i_X509_SIG.3 > various cleanup; (jmc@) ~ man/ASN1_STRING_print_ex.3 ~ man/des_read_pw.3 ~ man/ec.3 ~ man/i2d_PKCS7_bio_stream.3 ~ man/x509.3 > minor cleanup; (jmc@) ~ man/BN_CTX_start.3 ~ man/DES_set_key.3 ~ man/DSA_set_method.3 ~ man/HMAC.3 ~ man/engine.3 > some Vt fixes; (jmc@) ~ man/X509_STORE_CTX_get_ex_new_index.3 > Copyright and license; jmc@ noticed that is forgot this file (schwarze@) ~ man/X509_STORE_set_verify_cb_func.3 > Add Copyright and license; jmc@ noticed that i missed this file. > I'm not merging documentation for X509_STORE_set_verify_func(3) > from OpenSSL because their documentations does not appear to match > the code we have, and i don't understand what the code does. (schwarze@) ~ man/BN_BLINDING_new.3 ~ man/BN_CTX_new.3 ~ man/BN_CTX_start.3 ~ man/BN_add.3 ~ man/BN_add_word.3 ~ man/BN_bn2bin.3 ~ man/BN_cmp.3 ~ man/BN_copy.3 ~ man/BN_generate_prime.3 ~ man/BN_get0_nist_prime_521.3 ~ man/BN_mod_inverse.3 ~ man/BN_mod_mul_montgomery.3 ~ man/BN_mod_mul_reciprocal.3 ~ man/BN_num_bytes.3 ~ man/BN_rand.3 ~ man/BN_set_bit.3 ~ man/BN_set_negative.3 ~ man/BN_swap.3 ~ man/BN_zero.3 ~ man/bn_dump.3 ~ man/crypto.3 ~ man/dh.3 ~ man/dsa.3 ~ man/rsa.3 > replace all references to bn(3) with BN_new(3), > and make sure all BN*(3) pages point back to BN_new(3) (schwarze@) - man/bn.3 ~ man/BN_new.3 ~ man/Makefile > Merge bn(3) into BN_new(3). > OpenSSL removed bn(3) without replacement, but the introductory > text does seem helpful, and it is good for a sub-library to have a > central page pointing to all other pages and pointed at from all > other pages of the sub-library. 
(schwarze@) ~ man/bn_dump.3 > Add Copyright and license; jmc@ noticed that i missed this file. > (schwarze@) ~ man/des_read_pw.3 > Add Copyright and license; jmc@ noticed that i forgot this file. > Correct the header: It's <openssl/ui_compat.h>, not <openssl/des_old.h>. > Delete documentation of des_read_password(3) and des_read_2passwords(3) > which no longer exist. > Probably, the rest of this ought to be deleted as well... (schwarze@) ~ man/DH_generate_key.3 ~ man/DH_generate_parameters.3 ~ man/DH_get_ex_new_index.3 ~ man/DH_set_method.3 ~ man/DH_size.3 ~ man/DSA_dup_DH.3 ~ man/RSA_print.3 ~ man/crypto.3 ~ man/d2i_DHparams.3 ~ man/dsa.3 ~ man/engine.3 ~ man/rsa.3 > Replace all references to dh(3) with DH_new(3). > Make sure that all DH pages point back to DH_new(3). (schwarze@) - man/dh.3 ~ man/DH_new.3 ~ man/Makefile > Merge one sentence and the references from dh(3) to DH_new(3) and > discard the rest of the text. There is no value in documenting > some of the fields of a structure and then going on to say that the > structure is intended as opaque. Besides, i doubt that we want > such strong marketing of ENGINE support. (schwarze@) ~ man/DSA_SIG_new.3 ~ man/DSA_do_sign.3 ~ man/DSA_dup_DH.3 ~ man/DSA_generate_key.3 ~ man/DSA_generate_parameters.3 ~ man/DSA_get_ex_new_index.3 ~ man/DSA_set_method.3 ~ man/DSA_sign.3 ~ man/DSA_size.3 ~ man/ECDSA_SIG_new.3 ~ man/crypto.3 ~ man/d2i_DSAPublicKey.3 > Change all references to dsa(3) to point to DSA_new(3). > Make sure all DSA pages point back to DSA_new(3). (schwarze@) - man/dsa.3 ~ man/DSA_new.3 ~ man/Makefile > Merge one sentence and the references from dsa(3) to DSA_new(3) and > discard the rest of the text. There is no value in documenting > some of the fields of a structure and then going on to say that the > structure is intended as opaque. Besides, i doubt that we want > such strong marketing of ENGINE support. 
(schwarze@) ~ man/DSA_new.3 ~ man/engine.3 ~ man/rsa.3 > some fixes for the dsa.3 -> DSA_new.3 changes; (jmc@) ~ man/BN_get0_nist_prime_521.3 > add missing section number to Xr; (jmc@) ~ man/ECDSA_SIG_new.3 ~ man/EVP_PKEY_set1_RSA.3 ~ man/RSA_blinding_on.3 ~ man/RSA_check_key.3 ~ man/RSA_generate_key.3 ~ man/RSA_get_ex_new_index.3 ~ man/RSA_padding_add_PKCS1_type_1.3 ~ man/RSA_print.3 ~ man/RSA_private_encrypt.3 ~ man/RSA_public_encrypt.3 ~ man/RSA_set_method.3 ~ man/RSA_sign.3 ~ man/RSA_sign_ASN1_OCTET_STRING.3 ~ man/RSA_size.3 ~ man/crypto.3 ~ man/d2i_RSAPublicKey.3 ~ man/engine.3 > Change all references to rsa(3) to point to RSA_new(3) instead. > Make sure all RSA pages point back to RSA_new(3). (schwarze@) - man/rsa.3 ~ man/Makefile ~ man/RSA_new.3 > Merge all of rsa(3) into RSA_new(3). > In this case, keep the text about individual struct fields > because it contains some actual information. (schwarze@) - man/ec.3 ~ man/ECDSA_SIG_new.3 ~ man/EC_GFp_simple_method.3 ~ man/EC_GROUP_copy.3 ~ man/EC_GROUP_new.3 ~ man/EC_KEY_new.3 ~ man/EC_POINT_add.3 ~ man/EC_POINT_new.3 ~ man/Makefile ~ man/crypto.3 ~ man/d2i_ECPKParameters.3 > Distribute the text of ec(3) to the individual EC manuals where it belongs. > Make sure EC_GROUP_new(3) points to all EC manuals and all EC manuals > point back to EC_GROUP_new(3), and add some other useful links as well. > Change all links to ec(3) to point to EC_GROUP_new(3) instead. (schwarze@) ~ man/ASN1_generate_nconf.3 ~ man/CONF_modules_load_file.3 ~ man/Makefile ~ man/OPENSSL_config.3 + man/openssl.cnf.5 + man/x509v3.cnf.5 > import openssl.cnf(5) and x509v3.cnf(5) from OpenSSL; > below OpenBSD quality standards, but better than nothing... (schwarze@) libssl ~ man/SSL_library_init.3 > Add Copyright and license. > In the SYNOPSIS, show prototypes, not #defines. > Delete a note about ancient OpenSSL versions. (schwarze@) ~ man/SSL_read.3 > Add Copyright and license. > Merge documentation of SSL_peek(3) from OpenSSL. 
> Stop taking about SSLv2. > Many wording improvements, most from OpenSSL. (schwarze@) ~ man/SSL_load_client_CA_file.3 ~ man/SSL_rstate_string.3 ~ man/SSL_session_reused.3 ~ man/SSL_set_bio.3 ~ man/SSL_set_connect_state.3 ~ man/SSL_set_fd.3 ~ man/SSL_set_session.3 ~ man/SSL_set_shutdown.3 ~ man/SSL_set_verify_result.3 ~ man/SSL_state_string.3 ~ man/SSL_want.3 > Copyright and license (schwarze@) ~ man/SSL_new.3 ~ man/SSL_shutdown.3 > Add Copyright and license. > Stop talking about SSLv2 and SSLv3. (schwarze@) ~ man/SSL_pending.3 > Add Copyright and license. > Wording improvements and a bit of additional information from OpenSSL. > (schwarze@) ~ man/SSL_write.3 > Add Copyright and license. > Stop talking about SSLv2 and SSLv3. > Some minor tweaks. (schwarze@) ~ s3_srvr.c > Convert ssl3_send_server_hello() to CBB. > ok beck@ doug@ (jsing@) ~ s3_clnt.c > Cleanup some of ssl3_send_client_kex_rsa() - tmp_buf is really the > premaster secret, so name it accordingly. Also, remove bogus assignment > of master_key_length - the correct value is assigned when the master_key > is set. > ok beck@ doug@ (jsing@) ~ s23_clnt.c ~ s3_clnt.c ~ ssl_lib.c ~ ssl_locl.h > Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return > the number of bytes written via an explicit *outlen argument and retaining > the return value to indicate success or failure. > ok doug@ (jsing@) ~ man/d2i_SSL_SESSION.3 > Add Copyright and license. > Add one cross reference, from OpenSSL. (schwarze@) ~ man/DTLSv1_listen.3 ~ man/SSL_accept.3 ~ man/SSL_connect.3 ~ man/SSL_do_handshake.3 ~ man/SSL_get_fd.3 ~ man/SSL_get_rbio.3 ~ man/SSL_read.3 ~ man/SSL_set_bio.3 ~ man/SSL_set_fd.3 ~ man/SSL_shutdown.3 ~ man/SSL_write.3 > replace all references to BIO(3) with references to BIO_new(3) (schwarze@) ~ s3_both.c ~ s3_clnt.c ~ s3_lib.c ~ s3_srvr.c ~ ssl_locl.h > Convert certificate handshake message generation to CBB, with some clean > up and restructure. 
> This also adds CBB based variants of the ssl3_handshake_msg_{start,finish} > functions - for the time being these use a CBB to build the messages, then > copy back into the init_buf. > ok doug@ (jsing@) ~ d1_both.c ~ d1_clnt.c ~ d1_srvr.c ~ ssl_locl.h > Now that ssl3_send_{client,server}_certificate() are using the common > handshake functions, we can remove more copied code from DTLS. (jsing@) ~ s3_clnt.c > Convert ssl3_send_client_kex_rsa() to CBB. > ok doug@ (jsing@) ~ man/Makefile + man/SSL_SESSION_new.3 > New manual page SSL_SESSION_new(3) written from scratch. > The function prototype is listed in ssl(3) and <openssl/ssl.h>, so > it's clearly a public interface, but OpenSSL has no documentation > about it whatsoever. (schwarze@) ~ man/SSL_SESSION_free.3 > Add Copyright and license. > Garbage collect empty RETURN VALUES section. > Delete useless cross reference to ssl(3). > Add cross reference to SSL_SESSION_new(3). (schwarze@) ~ man/SSL_CTX_get_ex_new_index.3 ~ man/SSL_CTX_set_tmp_rsa_callback.3 ~ man/SSL_SESSION_get_ex_new_index.3 ~ man/SSL_SESSION_get_time.3 ~ man/SSL_get_ex_data_X509_STORE_CTX_idx.3 ~ man/SSL_get_ex_new_index.3 > Copyright and license for the remaining manuals in this directory > (schwarze@) ~ man/SSL_CTX_set_tmp_rsa_callback.3 > s/SSL_CTX_need_tmp_rsa/SSL_CTX_need_tmp_RSA/ > because that's what <openssl/ssl.h> #defines. > That's likely a typo in the header file because all the other > functions are called *tmp_rsa*(). But it would be a bad idea to > fix such a bug in interfaces that are only provided for backward > compatibility in the first place, so i'm adjusting the manual to > be bug-compatible with the code, for now. > But, pretty please, for the next major bump, somebody go get Bob's > flensing knife and excise this part of the interface. Like, export > ciphers? Really? (schwarze@) ~ man/Makefile + man/SSL_SESSION_print.3 > An SSL_SESSION_print(3) manual written from scratch. 
It's clearly > a public interface since it's listed both in ssl(3) and in > <openssl/ssl.h>. Nothing to pilfer from OpenSSL in this case... > (schwarze@) ~ ssl_asn1.c > Ensure that we zero memory used to hold the ASN.1 encoded session, since > this contains the session master key. > ok deraadt@ doug@ (jsing@) ~ s3_srvr.c > Ensure that we zero memory that contiansthe ASN.1 encoded session, since > this contains the session master key. > ok deraadt@ doug@ (jsing@) ~ s3_clnt.c > Convert ssl3_send_client_kex_dhe() to CBB. > ok doug@ (jsing@) ~ man/SSL_load_client_CA_file.3 > Add documentation for SSL_add_file_cert_subjects_to_stack(3) and > SSL_add_dir_cert_subjects_to_stack(3), written from scratch. > Both functions are listed in ssl(3) and <openssl/ssl.h> and recommended > for the use by browsers in source code comments, so they are clearly > public interfaces. > Mention deduplication. > Purge some duplicate text and improve some wording while here. > Two additional cross references instead of the useless ssl(3). > Add HISTORY, AUTHORS, and BUGS. > It is depressing that BUGS (purely from code inspection) became > longer than the DESCRIPTION. (schwarze@) ~ man/Makefile + man/SSL_dup_CA_list.3 > New SSL_dup_CA_list(3) manual written from scratch. > Mentioned in ssl(3) and <openssl/ssl.h>, so it is public. (schwarze@) ~ man/Makefile + man/SSL_dup.3 > Write new SSL_dup(3) manual from scratch. This function is listed > in ssl(3) and <openssl/ssl.h>, so it is clearly public. (schwarze@) ~ man/Makefile + man/SSL_copy_session_id.3 > Write SSL_copy_session_id(3) manual from scratch. This function is > listed in ssl(3) and <openssl/ssl.h>, so it's clearly a public interface. > We might wish to merge the improved code from OpenSSL 1.1.0, > but that's major bump, so i'm documenting the BUGS for now. 
(schwarze@) ~ man/SSL_read.3 > add missing .Nm SSL_peek in the NAME section (schwarze@) ~ man/Makefile + man/SSL_renegotiate.3 > Write SSL_renegotiate(3) manual from scratch; this function is listed > in ssl(3) and <openssl/ssl.h>, so it's clearly a public interface. > More could probably be said, the code looks somewhat mysterious to me, > but i think this stub is already better than nothing. (schwarze@) ~ man/SSL_get_version.3 > Document SSL_version(3). It's listed in ssl(3) and <openssl/ssl.h>, > so it's clearly a public interface. (schwarze@) ~ man/Makefile ~ man/SSL_renegotiate.3 + man/SSL_get_certificate.3 + man/SSL_get_state.3 + man/SSL_num_renegotiations.3 > New manual pages SSL_get_certificate(3), SSL_get_state(3), and > SSL_num_renegotiations(3) written from scratch. These functions > are listed in ssl(3) and <openssl/ssl.h>, so they are clearly public. > (schwarze@) ~ man/Makefile + man/SSL_get_shared_ciphers.3 > Write an SSL_get_shared_ciphers(3) manual from scratch; another one > where BUGS is longer than DESCRIPTION. The function is listed in > ssl(3) and <openssl/ssl.h>, so it's clearly public. > The code looks slightly mysterious to me, so it would be welcome if > somebody more familiar with TLS protocols could check factual accuracy. > (schwarze@) ~ man/ssl.3 > Add Copyright and license. > Delete all the function prototypes. > They are all available from their individual manual pages. > Here, they were incomplete and nothing but a maintenance nightmare. > Add several missing cross reference, such that > this page now references all libssl manual pages. > Delete a sentence that said nothing and correct a typo. > Now all libssl manuals have proper Copyright notices and licenses, > and i have merged all improvements from OpenSSL that i could find. 
> (schwarze@) == regress =========================================================== 05/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress bin ~ ksh/obsd-regress.t > Fixes descriptions for seterror tests 1, 2 and 4. > Add seterror tests 8-10 for better "set -e" coverage. > Add seterror-11 test to exercise the bug with "set -e" and > short-ciruited "&&" chains. > From Kartik Agaram (millert@) ~ ksh/obsd-regress.t > Remove and-list-error-3 test, it is obsoleted by seterror-11 (millert@) lib ~ libssl/unit/cipher_list.c > Update regress test to handle change to ssl_cipher_list_to_bytes(). > (jsing@) sbin ~ route/rttest14.ok ~ route/rttest16.ok > Update to match recent changes. > IPv6 multicast "All Nodes Address" and "All Routers Address" routes are > now attached to the corresponding interface. > ok bluhm@ (mpi@) usr.bin ~ mandoc/roff/args/roff.out_ascii ~ mandoc/roff/args/roff.out_lint > enable commented parts of the test, they seem to work now (schwarze@) ~ mandoc/roff/args/roff.in > enable commented parts of the test, they seem to work now (schwarze@) ~ mandoc/roff/args/man.in ~ mandoc/roff/args/man.out_ascii ~ mandoc/roff/args/man.out_lint > comment out non-working parts of the test with .ig rather than \", > this is not supposed to test whitespace at the end of comments; > noticed by bluhm@ who sent a different patch (schwarze@) ~ mandoc/char/space/Makefile + mandoc/char/space/trailing-mdoc.in + mandoc/char/space/trailing-mdoc.out_ascii + mandoc/char/space/trailing-mdoc.out_lint > test different kinds of the "WARNING: whitespace at end of input line"; > bluhm@ noticed that this area can grow regressions (schwarze@) usr.sbin ~ arp/arptest1.ok ~ arp/arptest2.ok ~ arp/arptest3.ok ~ arp/arptest4.ok ~ arp/arptest5.ok ~ arp/arptest6.ok > Spacing in arp -a output has changed, adapt test. 
(bluhm@) == sbin ============================================================== 06/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin disklabel ~ disklabel.8 > move the text describing the % and & units to a better place; > diff from jerome frgacic, tweaked by myself > ok krw millert (jmc@) == share ============================================================= 07/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share man + man4/xbf.4 > xbf(4) manual page (mikeb@) ~ man4/pvbus.4 ~ man4/Makefile > Add xbf(4) (mikeb@) ~ man4/ix.4 > Mention X552, don't mention X557 which is a PHY (mikeb@) ~ man4/pvbus.4 ~ man4/xbf.4 > tweak previous; (jmc@) ~ man4/iwm.4 > Update iwm(4) CAVEATS section; MIMO is now supported (stsp@) ~ man9/ieee80211_radiotap.9 > Document how an MCS index is represented in ieee80211_radiotap(9). (stsp@) misc ~ inter.phone > Add missing area codes for Poland, and fix an erroneous entry. (fcambus@) == sys =============================================================== 08/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys arch/amd64/conf ~ GENERIC > Add a commented out entry for xbf(4) > xbf(4) driver creates a shim on top of Xen I/O rings and exports > it as a SCSI adaptor with a single target for a disk or a cdrom. > The disks that are attached to it are managed by the sd(4) driver, > but thankfully OpenBSD users do not require any migration strategy > to move from emulated wd(4) disks to paravirtualized ones since > disklabel UIDs are used by default in /etc/fstab making referencing > particular partitions independent from the underlying device driver. > (mikeb@) arch/loongson/dev ~ kb3310.c ~ stsec.c > Harmonize battery state thresholds accross platforms. > Use the same values hardcoded in sys/dev/acpi/acpi.c where possible. > OK visa@ (fcambus@) arch/loongson/include ~ autoconf.h > Determine the available CPUs. (visa@) arch/loongson/loongson ~ generic3a_machdep.c ~ loongson3_intr.c ~ machdep.c > Determine the available CPUs. 
(visa@) arch/macppc/dev ~ apm.c > Harmonize battery state thresholds accross platforms. > Use the same values hardcoded in sys/dev/acpi/acpi.c where possible. > OK visa@ (fcambus@) arch/mips64/include ~ pmap.h > Get PTE shift using PTE_LOG. (visa@) arch/octeon/conf ~ GENERIC ~ RAMDISK ~ files.octeon > Add fdt_attach_args and simplebus for implementing fdt-capable > drivers on octeon. Adapted from armv7. > ok kettenis@ (visa@) arch/octeon/dev ~ octeon_intr.c > Add handling for the second interrupt bank. > Needed by an upcoming driver. (visa@) ~ octeon_iobus.c + simplebus.c + simplebusvar.h > Add fdt_attach_args and simplebus for implementing fdt-capable > drivers on octeon. Adapted from armv7. > ok kettenis@ (visa@) ~ octeon_intr.c > Add a routine for setting up interrupt handlers using fdt. > ok kettenis@ (visa@) arch/octeon/include + fdt.h > Add fdt_attach_args and simplebus for implementing fdt-capable > drivers on octeon. Adapted from armv7. > ok kettenis@ (visa@) ~ intr.h > Add a routine for setting up interrupt handlers using fdt. > ok kettenis@ (visa@) dev ~ rnd.c > fix spelling errors and typos, from Michael W. Bombardieri (deraadt@) dev/pci ~ if_iwm.c > Make sure iwm(4) only calls ieee80211_mira_choose() while in RUN state. > Should fix "panic: timeout_add: not initialized" reported by danj@ (stsp@) ~ ixgbe_x550.c > Let X552 SFP+ boot without a module plugged in > Due to insufficient error handling X552 SFP+ card isn't configured > properly on boot when an SFP+ module is not plugged in. As a side > effect the interface becomes completely unusable afterwards. > The issue was discovered and fix tested by Hrvoje Popovski, thanks! > (mikeb@) ~ if_ix.c > Improve error handling and don't fail if SFP module is not present; > tested by Hrvoje Popovski, thanks! 
(mikeb@) ~ ixgbe_x550.c > Don't forget to return an error (mikeb@) ~ pcidevs > X557 is the name of an external PHY not the PCI device > Rename 8086:15a[abce] back to X552, give 8086:15ad a proper moniker > X552/X557-AT and the yet-unreleased parts 8086:15c* are tentatively > named X553. (mikeb@) ~ pcidevs.h ~ pcidevs_data.h > regen (mikeb@) ~ if_iwn.c ~ if_iwnvar.h > Add mira support to iwn(4). > Please let me know about any regressions. > Tested by myself, tb@, okan@, jca@, naddy@, mlarkin@ > ok tb@ jca@ (stsp@) ~ azalia.c > Return ENODEV if playback is requested on devices with no DACs or > recording is requested on devices with no ADCs. Many thanks to > Bryan Vyhmeister <bryan at bsdjournal.net> for testing & debugging this. > (ratchov@) ~ if_iwm.c > iwm(4) was stripping some bits from the MCS index value before passing > it to bpf for tcpdump(8). Fix it so MCS >= 8 get passed on correctly. > ok phessler@ (stsp@) ~ if_ix.c > Update the media as the last step in the SFP module configuration > The problem noticed, fix tested and OK procter@ (mikeb@) ~ if_iwm.c ~ if_iwn.c > Make retry-heavy rates less attractive to mira. > The number of retried frames shrinks significantly. > ok tb@ (stsp@) ~ if_iwm.c > In iwm(4), do not enable HT protection (RTS) unconditionally if the AP > requires > protection from 20MHz-only STAs on a 40MHz channel. We do not support 40MHz > channels yet so there is nothing to protect ourselves from. It is the 40MHz > users who need to start using RTS when a 20MHz-only user shows up. (stsp@) ~ if_iwm.c ~ if_iwmreg.h > Add support for MIMO Tx rates (MCS 8-15) to iwm(4). > The nominal maximum Tx rate is now 144Mbit/s (MCS 15, 20MHz channel, SGI). > In practice it's more around 30Mbit/s, though. The most significant > limiting > factor is probably lack of Tx aggregation support. (Due to protocol > overhead, > reaching the nominal max is pretty much impossible anyway. 
When shopping > wifi > devices, do not believe what stickers on the box are saying; full of lies!) > But APs will send us aggregates, so Rx should be faster than Tx (which was > already the case, just less pronounced). > Tested by phessler@, bmercer@, tb@ > ok tb@ (stsp@) dev/pv ~ pvbus.c > The kvop is not mandatory to query the type, fixes hostctl -t on vmm(4) > VMs. > OK mikeb@ (reyk@) ~ xen.c > Remove some leftovers from before the dynamic grant table code (mikeb@) ~ xenstore.c > Return proper error values from xs_{get,set}prop (mikeb@) ~ xenstore.c > Factor out the polling loop into a separate function (mikeb@) ~ xenstore.c ~ xenvar.h > Add a simple mechanism to poll for a change in the property value (mikeb@) + xbf.c > A driver for Xen Blkfront heavily based on vdsk(4) from kettenis@ (mikeb@) ~ files.pv > Add xbf(4) (mikeb@) ~ xbf.c > splbio isn't doing us any good here and prevents polling from working > (mikeb@) ~ xbf.c > Fall back to the minimum amount of ring pages > Some AWS volumes lack both max-ring-page-order and max-ring-pages > properties so we have to default to a minimum amount of 1 ring page. > Noticed and fix tested by reyk@ on EC2. (mikeb@) ~ xbf.c > Response status field is signed; adjust the debug message (mikeb@) ~ xbf.c > Add required padding to the response descriptor > Xen source code relies on the compiler to pad members of the structure > representing the descriptor layout in memory; we're however trying to > be more defensive and define packed structures. > Figured out the hard way with reyk@. (mikeb@) ~ xbf.c > Silence scan-build; with prodding from jsg@ (mikeb@) ~ xenstore.c ~ xenvar.h > New XenStore public API function to read numeric values > A need for a function to perform string to number conversion arose > when domain identifier needed to be read and converted to numerical > representation. With xbf(4) the usage became broader as greater > values (such as the sector count) needed to be converted. 
> And as a result another function was implemented to perform string to
> unsigned long long conversion but unfortunately multiplication overflows
> were not handled correctly. This new version consolidates the code in
> one place and exports a proper XenStore API function to get and set
> numeric values. The new atoull function borrows multiplication
> overflow detection logic from the libc. (mikeb@)
~ xen.c
> Convert to the new xs_{get,set}num XenStore API (mikeb@)
~ xbf.c
> Convert to the new xs_{get,set}num XenStore API (mikeb@)
~ xbf.c
> Don't fail if optional feature properties aren't found
> Nathanael Rensen has noticed that the driver would fail to attach if
> optional "feature-barrier" or "feature-flush-cache" properties cannot
> be fetched and has provided a patch to solve the issue, thanks! (mikeb@)
~ xbf.c
> Bring back the sector count variable as it's used in the debug printf
> (mikeb@)
dev/usb
~ uaudio.c
> Remove unused variable. From Michael W. Bombardieri <[email protected]>. Thanks!
> (ratchov@)
net
~ route.c
> Since net/route.c r1.337 interface priority factors into route priority
> when RTF_CONNECTED routes are added to the routing table.
> Specify a route priority calculated in the same way when deleting such
> routes.
> Makes route add and delete code paths consistent again.
> ok mpi@ (stsp@)
~ switchofp.c
> Add missing prototypes for all functions declared in the file.
> ok reyk@ (rzalamena@)
~ switchofp.c
> Remove the flow id from the flow entry struct and the global variable,
> since they were not being used and the OpenFlow specification doesn't
> mention anything about them.
> ok reyk@ (rzalamena@)
~ switchofp.c
> Propagate error type in validation functions that call
> swofp_validate_action(), because actions have a different class of errors.
> While there update the error type and error variables type to match the
> swofp_send_error() prototype.
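The overflow-checked string-to-number conversion that the xenstore.c entry above describes, written out as an added example. This is constructed illustration code, not OpenBSD's xenstore or libc implementation, and the names atoull_checked, atoull_naive, parse_status and parses_to are this example's own. It uses the cutoff/cutlim test that libc's strtoull(3) applies before each multiply, and puts a naive wrapping conversion beside it so the failure the commit message mentions (an oversized value such as a sector count silently coming back small) is visible.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Constructed example (not OpenBSD's xenstore code): decimal string to
 * unsigned long long with multiplication-overflow detection in the style
 * of libc's strtoull(3).  Return values: 0 ok, -1 malformed input,
 * -2 value does not fit in an unsigned long long.
 */
int
atoull_checked(const char *s, unsigned long long *out)
{
	/* Largest value that can still be multiplied by 10 without wrapping,
	 * and the largest digit that may then be added to it. */
	const unsigned long long cutoff = ULLONG_MAX / 10;
	const int cutlim = (int)(ULLONG_MAX % 10);
	unsigned long long acc = 0;
	int c;

	if (s == NULL || *s == '\0')
		return -1;
	for (; (c = (unsigned char)*s) != '\0'; s++) {
		if (c < '0' || c > '9')
			return -1;
		c -= '0';
		/* The check happens before the multiply, so acc never wraps. */
		if (acc > cutoff || (acc == cutoff && c > cutlim))
			return -2;
		acc = acc * 10 + (unsigned long long)c;
	}
	*out = acc;
	return 0;
}

/*
 * The kind of conversion the commit message warns about: unsigned
 * arithmetic wraps silently, so ULLONG_MAX + 1 comes back as 0 and
 * larger inputs come back as arbitrary small-looking numbers.
 */
unsigned long long
atoull_naive(const char *s)
{
	unsigned long long acc = 0;

	for (; *s >= '0' && *s <= '9'; s++)
		acc = acc * 10 + (unsigned long long)(*s - '0');
	return acc;
}

/* Small helpers so results can be inspected without a temporary. */
int
parse_status(const char *s)
{
	unsigned long long v = 0;
	return atoull_checked(s, &v);
}

int
parses_to(const char *s, unsigned long long want)
{
	unsigned long long v = 0;
	return atoull_checked(s, &v) == 0 && v == want;
}

int
main(void)
{
	/* Constructed inputs: the third is ULLONG_MAX + 1 in decimal. */
	const char *inputs[] = {
		"123", "18446744073709551615", "18446744073709551616", "12a"
	};
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("%-22s checked=%d naive=%llu\n", inputs[i],
		    parse_status(inputs[i]), atoull_naive(inputs[i]));
	return 0;
}
```

The check compares against cutoff before multiplying rather than testing the product afterwards; with unsigned arithmetic an after-the-fact test cannot tell a wrapped result from a legitimate one, which is why the naive variant returns 0 for "18446744073709551616".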
> (rzalamena@)
~ pf.c
> Use the sizeof udphdr not the sizeof a pointer to it in the af-to
> specific part of pf_test_state_icmp(). This worked by accident on LP64
> archs as the struct is eight bytes long.
> ok mikeb@ bluhm@ krw@ jca@ (jsg@)
net80211
~ ieee80211_mira.c
> avoid a potentially uninitialised return value
> ok stsp@ (jsg@)
~ ieee80211_mira.c
> Fix mira's next intra-rate calculations for MCS >= 8.
> ok tb@ phessler@ (stsp@)
~ ieee80211_mira.c
~ ieee80211_mira.h
> Make mira rate scaling actually work with MIMO Tx rates.
> The previous approach with an extra timeout was dumb (and of course
> untested).
> Additional fixes include:
> - Take HT protection settings into account when determining whether RTS is
>   used.
> - Stop probing the current rateset as soon as measurements become worse.
> - Properly move probing timeouts for bad rates further into the future.
> Tested with MIMO-enabled iwm(4) (MCS 0-15) and also iwn(4) (MCS 0-7 only).
> Early versions also tested by phessler@ and bmercer@, and more testing by
> tb@.
> ok tb@ (stsp@)
netinet
~ igmp.c
~ in.c
> Remove recursive splsoftnet()s in ioctl(2) path. (mpi@)
~ udp_usrreq.c
> Pass the correct offset of the next protocol field for the given IP
> version to the upper layers. The stack will set this field to IPIP
> later on, so make sure it doesn't overwrite the packet in the wrong
> location.
> ok bluhm@ deraadt@ stsp@ (patrick@)

== usr.bin =========================================================== 09/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

dc
~ dc.1
> replace all references to bn(3) with BN_new(3),
> and make sure all BN*(3) pages point back to BN_new(3) (schwarze@)
doas
~ doas.conf.5
> Be more explicit about the "args" syntax.
> In part from a patch from Anton dot Lindqvist at gmail dot com.
> OK tedu@ (schwarze@)
ftp
~ fetch.c
> Avoid printf of a NULL pointer as a string in debug mode.
> OK deraadt@ (millert@)
~ fetch.c
> Avoid splitting the "Requesting %s" printf and its trailing newline.
> Fixes a missing newline in one place and an extra one later on when
> both debug and verbose are set. (millert@)
mandoc
~ read.c
> When reporting "whitespace at end of input line" on lines ending with
> roff(7) comments, let the column number in the message point to the
> end of the line rather than to the beginning of the comment.
> Improvement suggested by bluhm@. (schwarze@)
ssh
~ sshd.c
> Unlink PidFile on SIGHUP and always recreate it when the new sshd starts.
> Regression tests (and possibly other things) depend on the pidfile being
> recreated after SIGHUP, and unlinking it means it won't contain a stale
> pid if sshd fails to restart. ok djm@ markus@ (dtucker@)
~ sshconnect2.c
> Fix public key authentication when multiple authentication is in use.
> Instead of deleting and re-preparing the entire keys list, just reset
> the 'used' flags; the keys list is already in a good order (with already-
> tried keys at the back)
> Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@ (djm@)
~ ssh.c
> make IdentityFile successfully load and use certificates that have no
> corresponding bare public key. E.g. just a private id_rsa and certificate
> id_rsa-cert.pub (and no id_rsa.pub).
> bz#2617 ok dtucker@ (djm@)
~ sshd.c
> log connections dropped in excess of MaxStartups at verbose LogLevel;
> bz#2613 based on diff from Tomas Kuthan; ok dtucker@ (djm@)
tmux
~ key-bindings.c
~ server-client.c
> Make prefix work in all tables (except the prefix table). Users who want
> to avoid this can set prefix to "none" and bind send-prefix
> themselves. Allows C-b t to be bound in the copy mode tables again, pointed
> out by millert@. (nicm@)
~ tty.c
> Only skip moving the cursor if it is already in the last position _on
> the same line_, fixes redraw bug reported by patrick keshishian.
> (nicm@)
~ status.c
> Do not clear the prompt when a message is shown, just leave it around and
> return to it when the message is finished. (nicm@)
~ cmd-send-keys.c
> Fix send-keys with UTF-8. (nicm@)
~ input.c
~ screen-write.c
~ tmux.c
~ tty-term.c
> Spacing nits. (nicm@)
~ cmd-send-keys.c
> -N without arguments needs to set prefix count for the mode command, so
> that M-1 etc work. Reported by Theo Buehler. (nicm@)

== usr.sbin ========================================================== 10/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

dhcrelay
~ dhcpd.h
~ dhcrelay.c
~ dispatch.c
> Rename function discover_interfaces into get_interface and change its
> prototype to be more useful.
> ok reyk@ (rzalamena@)
~ dhcrelay.c
> pledge(2) dhcrelay with "stdio route". route is needed for interface
> ioctls.
> OK rzalamena@ (reyk@)
~ dhcrelay.c
> If the BROADCAST flag is set on a BOOTREPLY, the RFC specifies that
> we SHOULD forward the packet not only as L3 broadcast, but also as
> L2 broadcast. Apparently that helps on older machines that can't
> handle L2 unicast replies.
> ok jca@ (patrick@)
~ dhcrelay.c
> DHCP requests can be relayed through multiple relays. Currently we
> drop requests that have already been relayed. To allow usage in the
> middle of a chain, remove this check and only set giaddr if it has not
> been set yet. This giaddr will be used by the DHCP server to identify
> which subnet the client is connected to.
> RFC 1542 specifies that we should increase the hop counter every time
> we relay a request. If we receive a request whose hop counter exceeds
> the value of 16 we must silently drop it.
> ok jca@ (patrick@)
~ bpf.c
~ dhcpd.h
~ dhcrelay.c
~ dispatch.c
> Simplify get_interfaces function, make it return NULL if we didn't find
> the interface and abort dhcrelay with a more friendly message when we
> don't have an address configured in the interface.
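The relay-agent rules described in the two dhcrelay.c entries above (the BROADCAST flag on a BOOTREPLY, giaddr set only by the first relay in a chain, hop counter incremented per relay and requests dropped once it exceeds 16), as an added example. This is constructed illustration code, not dhcrelay's own implementation: the struct bootp_hdr here is a host-byte-order subset of the BOOTP/DHCP header using the RFC field names, the relay_decide, forwarded_through and reply_action functions and the RELAY_* actions are this example's own, and the 10.0.0.x relay addresses are constructed. The giaddr-must-match check on replies follows RFC 1542 rather than anything the entries state about dhcrelay.

```c
#include <stdint.h>
#include <string.h>

/*
 * Constructed example (not dhcrelay's code) of RFC 1542 relay agent
 * behaviour.  A real relay works on the network-byte-order wire format;
 * this keeps the few fields it needs in host order.
 */
#define BOOTREQUEST     1
#define BOOTREPLY       2
#define BOOTP_BROADCAST 0x8000  /* the BROADCAST bit of the 'flags' field */
#define MAX_HOPS        16      /* requests whose hops exceed this are dropped */

struct bootp_hdr {
	uint8_t  op;      /* BOOTREQUEST or BOOTREPLY */
	uint8_t  hops;    /* incremented by each relay agent on the way */
	uint16_t flags;
	uint32_t ciaddr;  /* client address, if it already has one */
	uint32_t giaddr;  /* address of the first relay agent, 0 if none yet */
};

enum relay_action {
	RELAY_DROP,
	RELAY_TO_SERVER,           /* forward BOOTREQUEST towards the server */
	RELAY_TO_CLIENT_UNICAST,   /* forward BOOTREPLY to the client by unicast */
	RELAY_TO_CLIENT_BROADCAST  /* forward BOOTREPLY as L2 and L3 broadcast */
};

/*
 * Decide what to do with one packet.  my_addr is the relay's address on
 * the client-facing interface, which is what goes into giaddr.
 */
enum relay_action
relay_decide(struct bootp_hdr *p, uint32_t my_addr)
{
	switch (p->op) {
	case BOOTREQUEST:
		/* Silently discard a request that already crossed too many relays. */
		if (p->hops > MAX_HOPS)
			return RELAY_DROP;
		p->hops++;
		/*
		 * Only the first relay fills in giaddr; later relays in a chain
		 * leave it alone so the server still sees the client's subnet.
		 */
		if (p->giaddr == 0)
			p->giaddr = my_addr;
		return RELAY_TO_SERVER;
	case BOOTREPLY:
		/* Per RFC 1542, a reply is only ours to relay if giaddr is ours. */
		if (p->giaddr != my_addr)
			return RELAY_DROP;
		if (p->flags & BOOTP_BROADCAST)
			return RELAY_TO_CLIENT_BROADCAST;
		return RELAY_TO_CLIENT_UNICAST;
	default:
		return RELAY_DROP;
	}
}

/*
 * Push one constructed, fresh BOOTREQUEST through n chained relays with
 * constructed addresses 10.0.0.1, 10.0.0.2, ...  Returns how many relays
 * forwarded it and, through giaddr_out, the giaddr the server would see.
 */
int
forwarded_through(int n, uint32_t *giaddr_out)
{
	struct bootp_hdr p;
	int i, forwarded = 0;

	memset(&p, 0, sizeof(p));
	p.op = BOOTREQUEST;
	for (i = 0; i < n; i++)
		if (relay_decide(&p, 0x0a000001u + (uint32_t)i) == RELAY_TO_SERVER)
			forwarded++;
	if (giaddr_out != NULL)
		*giaddr_out = p.giaddr;
	return forwarded;
}

/* Classify a constructed BOOTREPLY carrying the given flags and giaddr. */
enum relay_action
reply_action(uint16_t flags, uint32_t giaddr, uint32_t my_addr)
{
	struct bootp_hdr p;

	memset(&p, 0, sizeof(p));
	p.op = BOOTREPLY;
	p.flags = flags;
	p.giaddr = giaddr;
	return relay_decide(&p, my_addr);
}
```

With the check placed before the increment, a request arriving with hops equal to 16 is still forwarded (leaving with 17) and the next relay drops it, so a chain forwards through at most 17 relays; giaddr stays at the first relay's address throughout, which is the property the server relies on to pick the client's subnet.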
> ok jca@ (rzalamena@)
~ bpf.c
~ dhcpd.h
~ dhcrelay.c
~ dispatch.c
~ packet.c
> Clean up function prototypes: use a single struct to hold all address
> information instead of passing multiple different parameters. This also
> prepares the dhcrelay code to receive new features, like: IPv6, layer 2
> relaying.
> ok jca@ (rzalamena@)
ntpd
~ constraint.c
> Use the stack to hold the constraint child process variables instead of
> using the heap.
> ok bcook@ (rzalamena@)
ospfctl
~ ospfctl.c
> Also print the mtu when showing interface details
> ok sthen@ benno@ (jca@)
syspatch
~ syspatch.sh
> Remove the ugly temporary quirks. (ajacoutot@)
~ syspatch.sh
> If we end up creating a rollback tarball from an empty list of files, it means
> we are missing a base set. In this case, error out right away or we may end up
> having the patch supposedly installed but without its corresponding rollback
> tarball.
> For now we only support *full* installations.
> installed patches mismatch reported by Marc Benslahdine (ajacoutot@)
~ syspatch.sh
> Explicit error when running on unsupported release. (ajacoutot@)
~ syspatch.sh
> Tweak comment. (ajacoutot@)
~ syspatch.sh
> Catch mtree(8) error; it's only run when applying patches and we already
> check for read-only... in this case. (ajacoutot@)
~ syspatch.sh
> Better matching and remove a useless use of sort(1). (ajacoutot@)
~ syspatch.sh
> Missed in previous. (ajacoutot@)
~ syspatch.sh
> Cleanup syspatch directories that do not contain a tarball; it means it
> was not applied properly. (ajacoutot@)
~ syspatch.8
~ syspatch.sh
> Make it possible to install patches even if we don't have all sets installed
> (e.g. no x sets); in this case, syspatch will skip the patch *but* it will still
> be listed as available. This will allow applying the patch in case sets are
> installed later on. (ajacoutot@)
vmd
~ virtio.c
> Add debug message to print VM's mac addresses (lladdr).
> (reyk@)
===============================================================================

_______________________________________________
owc mailing list
[email protected]
http://www.squish.net/mailman/listinfo/owc
